07.12.10
Always-on secure access, with Forefront UAG DirectAccess
Windows Server 2008 R2 introduced new functionality and features for the enterprise, including an improved Hyper-V with live migration, BranchCache, and Active Directory improvements such as a recycle bin and managed service accounts.
But my favorite R2 feature is DirectAccess.
Every organization needs a cost-effective, unified approach to secure remote access that protects data, applications, and the internal network. DirectAccess provides all of this, with improved management for remote users and computers, secure, seamless remote access to corporate resources, and better end-user productivity.
But DirectAccess does have its challenges.
It requires IPv6 support for remote access to internal resources, and that can present a challenge: your networking team must make IP address changes on the internal network and face the likelihood that legacy systems may not support IPv6 at all.
But there is an answer: Forefront Unified Access Gateway!
Microsoft’s Unified Access Gateway (UAG) extends the capabilities of traditional Windows Server 2008 R2 DirectAccess, with improved scalability, availability, and extensibility.
Forefront UAG scales out the DirectAccess infrastructure in a multi-node array for high availability and load balancing of DirectAccess connections. UAG can also connect to traditional IPv4 addresses on the internal network, which essentially provides access to the entire network.
Finally, Forefront UAG lets you support down-level clients (Windows Vista, Windows XP, and non-Windows clients) through an initial SSL VPN connection that is forwarded to the DirectAccess components for access to corporate resources.
Other benefits include:
- Users don’t have to establish the connection manually or reconnect if the Internet connection drops.
- Group Policy settings can be deployed to DirectAccess clients whenever they are connected to the Internet, ensuring company security policies are always applied.
- Users can log on to Active Directory from remote locations as if they were on the internal network.
- Works with NAP (Network Access Protection) and NAC (Network Access Control) solutions to enforce compliance consistently before network access is allowed.
- Communication with the corporate network is encrypted with IPsec, and granular access to resources is possible through the integrated firewall (Threat Management Gateway) on the UAG server.